From 6ed7dcf2f6f71d6db5fa89e0b965c10a165f315c Mon Sep 17 00:00:00 2001
|
|
From: root <root@localhost.localdomain>
|
|
Date: Mon, 8 Jan 2024 17:09:46 +0800
|
|
Subject: [PATCH] libsepol: more strict validation
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Ensure the ibendport port is not 0 (similar to the kernel).
|
|
|
|
More general depth test for boolean expressions.
|
|
|
|
Ensure the boolean id is not set for logic operators.
|
|
|
|
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
|
Acked-by: James Carter <jwcart2@gmail.com>
|
|
|
|
Reference: https://github.com/SELinuxProject/selinux/commit/7b754f703d704c9d9931497536771e6124ca2418
|
|
Conflict: Context adaptation
|
|
---
|
|
libsepol/src/policydb_validate.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
|
|
index da3c7c5..09f0813 100644
|
|
--- a/libsepol/src/policydb_validate.c
|
|
+++ b/libsepol/src/policydb_validate.c
|
|
@@ -479,13 +479,15 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
|
|
case COND_BOOL:
|
|
if (validate_value(expr->bool, boolean))
|
|
goto bad;
|
|
- if (depth == (COND_EXPR_MAXDEPTH - 1))
|
|
+ if (depth >= (COND_EXPR_MAXDEPTH - 1))
|
|
goto bad;
|
|
depth++;
|
|
break;
|
|
case COND_NOT:
|
|
if (depth < 0)
|
|
goto bad;
|
|
+ if (expr->bool != 0)
|
|
+ goto bad;
|
|
break;
|
|
case COND_OR:
|
|
case COND_AND:
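Review bot: The new rejection of a non-zero `expr->bool` on a COND_NOT node has no comment explaining the invariant it enforces, and since this is loader-side validation of on-disk policy it also tightens what previously loaded; a short why-comment would help the next maintainer, e.g. `/* operator nodes carry no boolean id; a stray value means a malformed expression */`. It is worth stating (in the commit message or a comment) that a binary policy written by a tool that left garbage in the unused field of an operator node will now fail validation — presumably none of the in-tree writers do this, but that is inferred, not visible here. The relaxation from `==` to `>=` on the depth bound is behaviour-preserving for this loop since depth grows by exactly one per COND_BOOL and is checked at every push, so it is purely defensive. validate_cond_expr's signature and its `bad:` label lie outside this hunk, so the error reported to the caller cannot be checked from here.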
|
|
@@ -494,6 +496,8 @@ static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, va
|
|
case COND_NEQ:
|
|
if (depth < 1)
|
|
goto bad;
|
|
+ if (expr->bool != 0)
|
|
+ goto bad;
|
|
depth--;
|
|
break;
|
|
default:
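Review bot: The `if (expr->bool != 0) goto bad;` added here is identical to the one added in the COND_NOT case above; hoisting it ahead of the switch as `if (expr->expr_type != COND_BOOL && expr->bool != 0) goto bad;` removes the duplication and also covers any operator type added to the enum later without a second copy (the `default:` arm still rejects unknown types, so the hoisted test is harmless for them). Separately, the commit message's first item — "Ensure the ibendport port is not 0" — has no corresponding hunk in this one-file, 5-insertion diff; given the "Conflict: Context adaptation" trailer this looks like a backport in which that hunk was dropped, so either the check should be restored or the message trimmed so the description matches what is actually applied. The enclosing function continues past the end of this hunk.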
|
|
--
|
|
2.33.0
|